ICH Q9 Quality Risk Management

ICH Q9:
QUALITY RISK MANAGEMENTQUALITY RISK MANAGEMENT
1
Seetharam KandarpaSeetharam KandarpaSeetharam KandarpaSeetharam Kandarpa
ASQASQASQASQ----CPGP & ASQCPGP & ASQCPGP & ASQCPGP & ASQ----CQACQACQACQA

Objective
• Introduction to ICH Q9: Quality Risk
Management
• Guiding through the content of the ICH• Guiding through the content of the ICH
Q9 document
• Providing some considerations, possible
interpretations and where appropriate
examples
2

Introduction to
ICH Q9: Quality Risk Management (QRM)
• Document is available on the ICH Webpage
www.ich.org
3

Introduction to
ICH Q9: Quality Risk Management (QRM)
ICH Q9ICH Q9
4

Basic Terms
• Harm:
– Damage to health, including the damage that can occur from
loss of product quality or availability.
• Hazard:
– The potential source of harm (ISO/IEC Guide 51).
• Risk:• Risk:
– The combination of the probability of occurrence of harm and the
severity of that harm (ISO/IEC Guide 51).
• Severity:
– A measure of the possible consequences of a hazard.
• Detectability:
– The ability to discover or determine the existence, presence, or
fact of a hazard.
5

Basic Terms
• Quality:
– The degree to which a set of inherent properties of a product,
system or process fulfills requirements (see ICH Q6A definition
specifically for "quality" of drug substance and drug (medicinal)
products.)
• Quality Risk Management:
– A systematic process for the assessment, control,– A systematic process for the assessment, control,
communication and review of risks to the quality of the drug
(medicinal) product across the product lifecycle.
• Quality System:
– The sum of all aspects of a system that implements quality policy
and ensures that quality objectives are met.
6

Basic Terms
• Risk Assessment:
– A systematic process of organizing information to support a risk
decision to be made within a risk management process. It
consists of the identification of hazards and the analysis and
evaluation of risks associated with exposure to those hazards.
• Risk Identification:
– The systematic use of information to identify potential sources of– The systematic use of information to identify potential sources of
harm (hazards) referring to the risk question or problem
description.
• Risk Analysis:
– The estimation of the risk associated with the identified hazards.
• Risk Evaluation:
– The comparison of the estimated risk to given risk criteria using
a quantitative or qualitative scale to determine the significance of
the risk. 7

Basic Terms
• Risk Control:
– Actions implementing risk management decisions (ISO Guide
73).
• Risk Reduction:
– Actions taken to lessen the probability of occurrence of harm and
the severity of that harm.
Risk Acceptance:• Risk Acceptance:
– The decision to accept risk (ISO Guide 73).
• Risk Management:
– The systematic application of quality management policies,
procedures, and practices to the tasks of assessing, controlling,
communicating and reviewing risk.
8

Basic Terms
• Risk Communication:
– The sharing of information about risk and risk management
between the decision maker and other stakeholders.
• Risk Review:
– Review or monitoring of output/results of the risk management
process considering (if appropriate) new knowledge and
experience about the risk.experience about the risk.
• Requirements:
– The explicit or implicit needs or expectations of the patients or
their surrogates (e.g., health care professionals, regulators and
legislators). In this document, “requirements” refers not only to
statutory, legislative, or regulatory requirements, but also to such
needs and expectations.
9

Basic Terms
• Decision Maker(s):
– Person(s) with the competence and authority to make
appropriate and timely quality risk management decisions.
• Product Lifecycle:
– All phases in the life of the product from the initial development
through marketing until the product’s discontinuation.
Trend:• Trend:
– A statistical term referring to the direction or rate of change of a
variable(s).
• Stakeholder:
– Any individual, group or organization that can affect, be affected
by, or perceive itself to be affected by a risk. Decision makers
might also be stakeholders. For the purposes of this guideline,
the primary stakeholders are the patient, healthcare
professional, regulatory authority, and industry. 10

Table of contents
1. Introduction
2. Scope
3. Principles of Quality Risk Management
4. General Quality Risk Management Process
5. Risk Management Methodology5. Risk Management Methodology
Annex I: Risk Management Methods and Tools
6. Integration of QRM process
into Industry and Regulatory operations
Annex II: Potential Applications for QRM
7. Definitions
8. References
11

1. Introduction
Risk Management
Quality Risk Management
Quality Systems
Harm
SeveritySeverity
Stakeholder
Product Life Cycle
GMP Compliance
12

This guideline provides
principles & examples of tools
of quality risk management that can be applied to
different aspects of pharmaceutical quality.
2. Scope
different aspects of pharmaceutical quality.
These aspects include development, manufacturing,
distribution, and the inspection and submission/review
processes throughout the lifecycle
of drug substances, drug (medicinal) products,
biological and biotechnological products
13

2. Scope
• Drug substances,
• Drug (medicinal) products,
• Biological and biotechnological products
Including the selection and use ofIncluding the selection and use of
– Raw materials
– Solvents
– Excipients
– Packaging and labelling materials
– Components
14

3. Principles of Quality Risk Management
Two primary principles:
The evaluation of
the risk to quality
The level of effort,
formality andthe risk to quality
should be based on
scientific knowledge
and ultimately link
to the protection
of the patient
formality and
documentation
of the quality risk
management process
should be commensurate
with the level of risk
15

Systematic processes
designed todesigned to
coordinate, facilitate and improve
sciencescience--based decision makingbased decision making
with respect to risk to quality
16

on
Risk Assessment
Risk Evaluation
unacceptable
Risk Analysis
Risk Identification
Initiate
Quality Risk Management Process
Ris
Team
approach
Risk Review
RiskCommunicatio
Risk Control
Risk Reduction
Review Events
Risk Acceptance
Output / Result of the
skManagementtools
17

Decision makers:
Person(s)
with competence and authority
to make a decision
• Ensuring that
ongoing Quality Risk Management processes operate
• Coordinating
quality risk management process
across various functions and departments
• Supporting
the team approach
Management
responsibility
18

Team approach
• Usually, but not always, undertaken by interdisciplinary
teams from areas appropriate to the risk being considered
e.g.
– Quality unit– Quality unit
– Development
– Engineering / Statistics
– Regulatory affairs
– Production operations
– Business, Sales and Marketing
– Legal
– Medical / Clinical
– &… Individuals knowledgeable of the QRM processes
19

When to initiate and plan a QRM Process
• First define the question which should be answered (e.g.
a problem and/or risk question)
– including pertinent assumptions identifying
the potential for risk
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
Risk Management Process
Output / Result of the Quality
RiskManagementtools
the potential for risk
• Then assemble background information and/ or data on
the potential hazard, harm or human health impact
relevant to the risk
– Identify a leader and necessary resources
– Specify a timeline, deliverables and
appropriate level of decision making
for the QRM process
20

Should risks
be assessed?
Are there clear rules
for decision making?
e.g. regulations
When to apply Quality Risk Management?
1. What might go wrong?
2. What is the likelihood (probability)
it will go wrong?
3. What are the consequences (severity)?No or
justification needed
Can you answer
the risk assessment
questions? No
Yes
“no RM“
Risk assessment not required
(No flexibility)
Follow procedures
(e.g. Standard Operating Procedures)
Document results,
decisions and actions
questions?
Yes
“informal RM“
Initiate Risk assessment
(risk identification, analysis & evaluation)
Run risk control
(select appropriate measures)
Agree on a team
(small project)
Select a Risk Management tool
(if appropriate e.g. see ICH Q9 Annex I)
No
“formal RM“
Carry out the
quality risk management process
Document the steps
21

• Risk Identification
What might go wrong?
• Risk Analysis
Risk Assessment
3 fundamental
questions
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
What is the likelihood (probability) it will go wrong?
• Risk Evaluation
What are the consequences (severity)?
Note: People often use terms
“Risk analysis”, “Risk assessment” and
“Risk management” interchangeably
which is incorrect!
22

“What might go wrong?”
• A systematic use of information
Risk Assessment: Risk Identification
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
• A systematic use of information
to identify hazards
referring to the risk question or problem
– historical data
– theoretical analysis
– informed opinions
– concerns of stakeholders
23

“What is the likelihood it will go wrong?”
• The estimation of the risk
Risk Assessment: Risk Analysis
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
• The estimation of the risk
associated with the identified hazards.
• A qualitative or quantitative process of linking the
likelihood of occurrence and severity of harm
• Consider detectability if applicable
(used in some tools)
24

Risk Assessment: Risk Analysis
Often data driven
Keep in mind:
Statistical approach may or may not be
usedused
• Maintain a robust data set!
• Start with the more extensive data set and reduce it
• Trend and use statistics (e.g. extrapolation)
• Comparing between different sets requires compatible
data
• Data must be reliable
• Data must be accessible Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
25

“What is the risk?”
• Compare the identified and analysed risk
against given risk criteria
Risk Assessment: Risk Evaluation
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
against given risk criteria
• Consider the strength of evidence
for all three of the fundamental questions
– What might go wrong?
– What is the likelihood (probability) it will go wrong?
– What are the consequences (severity)?
26

Risk Assessment: Risk Evaluation
A picture of the life cycle
Probability Detectability Severity
= Risk Priority Number
x x
past today future
Datarefersto
time
Impact
Canyoufindit?
•Frequency of
“occurences”
driven by
the number
of trials
•Degree
of belief
27

Risk Control: Decision-making activity
• Is the risk above an acceptable level?
• What can be done to reduce or eliminate risks?
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
• What can be done to reduce or eliminate risks?
• What is the appropriate balance
between benefits, risks and resources?
• Are new risks introduced as
a result of the identified
risks being controlled?
28

Risk Control: Residual Risk
• The residual risk consists of e.g.
– Hazards that have been assessed and
risks that have been accepted
– Hazards which have been identified but
the risks have not been correctly assessed
– Hazards that have not yet been identified
– Hazards which are not yet linked to the patient risk
• Is the risk reduced to an acceptable level?
– Fulfil all legal and internal obligations
– Consider current scientific knowledge & techniques
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
29

Risk Control: Risk Reduction
• Mitigation or avoidance of quality risk
• Elimination of risks, where appropriate
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
• Focus actions on severity and/or probability
of harm; don’t forget detectability
• It might be appropriate to revisit the
risk assessment during the life cycle
for new risks or increased significance
of existing risks
30

Risk Control: Risk Acceptance
• Decision to
> Accept the residual risk
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
> Passively accept non specified residual risks
• May require support by (senior) management
> Applies to both industry and competent authorities
• Will always be made on a case-by-case basis
31

• Discuss the appropriate balance between
benefits, risks, and resources
• Focus on the patients’ interests and
good science/data
• Risk acceptance is not
– Inappropriately interpreting
data and information
– Hiding risks from management /
competent authorities Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
32

What is an “acceptable risk”?
Who has to accept risk?
• Decision Maker(s)
– Person(s) with the competence and authority
to make appropriate and timely
quality risk management decisions
• Stakeholder
– Any individual, group or organization
that can …be affected by a risk
– Decision makers might also be stakeholders
– The primary stakeholders are the patient, healthcare
professional, regulatory authority, and industry
– The secondary stakeholders are
patient associations, public opinions, politicians
33

A Risk
Acceptance process
1/3 Finish baseline for
risk acceptance decision
risk identification, risk analysis,
risks evaluation, risks reduction
Risk reduction step
finished
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
Yes
Stakeholders
involved as appropiate?
Revisit
risk assessment step
All identified
risks assessed?
No
Yes
No
34

A Risk
Evaluate measures
on severity, probability, detectability
Check needed resources
e.g. employee, money
Measures/
actions needed?
Yes
A Risk
Acceptance
process
2/3
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
Measures / Actions
appropriate?
No
Yes
Revisit
risk reduction step
Other hazards
caused?
Yes
Is a risk
reducible?
No
No
35

A Risk Acceptance process 3/3
Is a risk
reducible?
Yes
No
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
Accept the
residual risk?
Ready for communication
Accept risk
Sign off documentation
Advantage
outweighs risk?
Yes No
Yes
Risk not acceptable
Sign off documentation
Revisit
risk assessment step
No
36

• Bi-directional sharing of information about risk and risk
management
between the decision makers and others
Risk Communication
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
• Communicate at any stage of the QRM process
• Communicate and document
the output/result of the QRM process appropriately
• Communication need not be carried out
for each and every individual risk acceptance
• Use existing channels as specified in
regulations, guidance and SOP’s
37

• Exchange or sharing of information, as appropriate
Risk Communication
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
• Sometimes formal sometimes informal
– Improve ways of thinking and communicating
• Increase transparency
38

Quality risk management
Communication
facilitates trust
and understanding
Industry
operation
- Submissions
- Manufacturing
Regulators
operation
- Reviews
- Inspections
39

Risk review: Review Events
• Review the output / results of the QRM process
• Take into account new knowledge and experience
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
• Take into account new knowledge and experience
• Utilise for planned or unplanned events
• Implement a mechanism to review or monitor events
• Reconsideration of risk acceptance decisions,
as appropriate
40

5. Risk Management Methodology
One method
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
One method
“all inclusive”?
41

Expectations on methods and tools
• Supports science-based decisions
• A great variety are listed but other existing or
new ones might also be used
• No single tool is appropriate for all cases• No single tool is appropriate for all cases
• Specific risks do not always require the same tool
• Using a tool the level of detail of an investigation will vary
according to the risk from case to case
• Different companies, consultancies and competent
authorities may promote use of different tools based on
their culture and experiences
42

Contributing items to manage quality risks
• System Risk (facility & people)
– e.g. interfaces, operators risk, environment,
components such as equipment, IT, design elements
• System Risk (organisation)
– e.g. Quality systems, controls, measurements,– e.g. Quality systems, controls, measurements,
documentation, regulatory compliance
• Process Risk
– e.g. process operations and quality parameters
• Product Risk (safety & efficacy)
– e.g. quality attributes:
measured data according to specifications
43

• Supports a scientific and practical approach to
decision-making
• Accomplishing steps of the QRM process
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
– Provides documented, transparent and
reproducible methods
– Assessing current knowledge
– Assessing probability, severity and
sometimes detectability
44

• Adapt the tools for use in specific areas
• Combined use of tools may provide flexibility
• The degree of rigor and formality of QRM
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
• The degree of rigor and formality of QRM
– Should be commensurate with the complexity and
/ or criticality of the issue to be addressed and
reflect available knowledge
• Informal ways
– empirical methods and / or
internal procedures
45

Annex I: Risk Management Methods and Tools
• Provides a general overview of
and references for some of the primary tools
• Might be used in QRM by industry and regulators
• This is not an exhaustive list
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
• This is not an exhaustive list
• No one tool or set of tools is applicable to every situation
in which a QRM procedure is used
• For each of the tools
– Short description & reference
– Strength and weaknesses
– Purely illustrative examples
46

Overview: Some tools and their key words
• Failure Mode Effects Analysis (FMEA)
– Break down large complex processes into manageable steps
• Failure Mode, Effects and Criticality Analysis (FMECA)
– FMEA & links severity, probability & detectability to criticality
• Fault Tree Analysis (FTA)
– Tree of failure modes combinations with logical operators
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
– Tree of failure modes combinations with logical operators
• Hazard Analysis and Critical Control Points (HACCP)
– Systematic, proactive, and preventive method on criticality
• Hazard Operability Analysis (HAZOP)
– Brainstorming technique
• Preliminary Hazard Analysis (PHA)
– Possibilities that the risk event happens
• Risk ranking and filtering
– Compare and prioritize risks with factors for each risk
47

• Supporting statistical tools
– Acceptance Control Charts (see ISO 7966)
– Control Charts (for example)
Control Charts with Arithmetic Average and
Warning Limits (see ISO 7873)
Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate Quality
RiskManagementtools
Cumulative Sum Charts; “CuSum” (see ISO 7871)
Shewhart Control Charts (see ISO 8258)
Weighted Moving Average
– Design of Experiments (DOE)
Pareto Charts
– Process Capability Analysis
– Histograms
– Use others that you are familiar with….
48

Q9 does not provide
“drivers licences”
49

6. Integration into
Industry and Regulatory Operations
• Foundation for “science-based” decisions
• Does not obviate industry’s obligation
to comply with regulatory requirements
• May affect the extent and level• May affect the extent and level
of direct regulatory oversight
• Degree of rigor and formality commensurate with the
complexity and/or criticality of the issue
• Implement QRM principles when updating
existing guidelines
50

This Annex is intended to identify potential uses of quality risk
management principles and tools by industry and regulators.
However, the selection of particular risk management tools is
completely dependent upon specific facts and circumstances.completely dependent upon specific facts and circumstances.
These examples are provided for illustrative purposes and
only suggest potential uses of quality risk management.
This Annex is not intended to create any new expectations
beyond the current regulatory requirements.
51

Quality risk management as part of
• Integrated quality management
– Documentation
– Training and education
Competent
authorities– Training and education
– Quality defects
– Auditing / Inspection
– Periodic review
– Change management / change control
– Continual improvement
authorities
Industry
52

Annex II: Potential opportunities
for conducting quality risk management
Competent
authorities
Quality risk management as part of
• Regulatory operations
> Inspection and assessment activities
• Industry operations
– Development
– Facilities, equipment and utilities
– Materials management
– Production
– Laboratory control and stability testing
– Packaging and labelling
Competent
authorities
Industry
53

COMMUNICATION
Failure Mode, Effects & Criticality Analysis FMECA
FTA
Preliminary Hazard Analysis
Fault Tree Analysis
QUALITY SYSTEM
ICH Q9
Quality Risk
Management
TOOLS
FMEA
Hazard Analysis & Critical Control Points
Failure Mode Effect Analysis
Hazard Operatibility Analysis
MATERIALS
PRODUCTION
54

mmunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Initiate
RiskManagem
Use the right “risk” expressionUse the right “risk” expression
please!
Risk Review
RiskCom
Review Events
Risk Acceptance
Output / Result of the
menttools
55

ICH Q9 Quality Risk Management

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to ICH Q9 Quality Risk Management

Similar to ICH Q9 Quality Risk Management (20)

Recently uploaded

Recently uploaded (20)

ICH Q9 Quality Risk Management